[00:13.000 --> 00:17.300]  Welcome to Day 2 of AppSec Village. I am your queen, Leora Herman.
[00:17.860 --> 00:20.540]  You might notice that I am sans tiara this year.
[00:20.720 --> 00:23.260]  That bling is saved for in-person occasions.
[00:23.740 --> 00:29.020]  I hope you enjoyed yesterday and are geared up for another great day of fun in AppSec.
[00:29.080 --> 00:33.280]  Speaking of gear, I am inserting a shameless plug for AppSec gear.
[00:33.280 --> 00:38.040]  If you go to appsecvillage.com and click on shop, you can get your own village merch,
[00:38.040 --> 00:40.660]  which helps support our volunteer-run village.
[00:40.660 --> 00:43.160]  Okay, plug for merch over.
[00:43.720 --> 00:45.760]  No village is without its challenges,
[00:45.760 --> 00:51.160]  and I'm still not quite sure how lockpicking village is managing in safe mode.
[00:51.760 --> 00:54.820]  So, no village is without its challenges,
[00:54.820 --> 00:58.160]  and year 2 of AppSec Village brought with it its own set.
[00:58.520 --> 01:03.460]  With DEF CON going virtual, all of our combined superpowers were needed to pull this off.
[01:03.460 --> 01:07.860]  We really appreciate your patience and the cooperation of our speakers and volunteers
[01:07.860 --> 01:10.020]  as we worked things out.
[01:10.020 --> 01:14.220]  It has not been smooth sailing, but we made it.
[01:14.300 --> 01:19.300]  If you were with us last year, you heard how much we value the diversity of our community.
[01:19.920 --> 01:23.260]  I'm not just talking about race, religion, or political views,
[01:23.560 --> 01:26.240]  but diversity in sexuality and gender identity,
[01:26.560 --> 01:30.180]  level of formal education, and security experience.
[01:30.700 --> 01:33.500]  Talking about diversity is just words,
[01:33.500 --> 01:36.040]  and what are words without actions?
[01:36.220 --> 01:39.280]  We must actively embody our ideals every day.
[01:39.280 --> 01:44.640]  And as you can see from this year's leadership, our keynotes, and the speaker lineup,
[01:44.640 --> 01:46.660]  we have put our words into actions.
[01:46.760 --> 01:50.100]  And our first talk for today is certainly action-packed,
[01:50.100 --> 01:52.980]  kicking off day 2 is Frederick "Flea" Lee.
[01:53.080 --> 01:54.840]  Flea is the CISO at Gusto,
[01:54.840 --> 01:59.100]  the people platform that enables 100,000 plus small businesses nationwide
[01:59.100 --> 02:03.180]  to pay, insure, and provide benefits for their teams.
[02:03.640 --> 02:06.300]  Flea previously headed up information security at Square
[02:06.300 --> 02:11.120]  and held senior security roles at Bank of America, Twilio, and NetSuite.
[02:11.320 --> 02:13.620]  His keynote is Be Like Water,
[02:13.620 --> 02:16.140]  what Bruce Lee can teach us about AppSec.
[02:16.140 --> 02:19.570]  Please join me in welcoming Flea to the virtual stage.
[02:20.500 --> 02:23.180]  As of the recording of this talk,
[02:23.180 --> 02:26.600]  the killers of Breonna Taylor have not been charged.
[02:33.920 --> 02:37.140]  Hey everybody, welcome to my keynote,
[02:37.140 --> 02:43.040]  and welcome to DEF CON Day 2 AppSec Village.
[02:43.040 --> 02:45.140]  I'm super excited to be here.
[02:45.140 --> 02:50.560]  I noticed definitely, definitely, definitely unusual circumstances.
[02:51.300 --> 02:56.380]  Bruce Lee and how I believe he relates to application security
[02:56.380 --> 02:59.800]  and some of the things that we can actually learn from him.
[02:59.900 --> 03:02.900]  Obviously, there's a couple of things, you know, kind of get out of the way,
[03:02.900 --> 03:04.140]  which is introductions.
[03:04.140 --> 03:06.720]  As I said, my name is Frederick Lee.
[03:06.720 --> 03:09.540]  Most people call me Flea.
[03:09.560 --> 03:12.840]  And I want to talk to you, you know, about what I do.
[03:12.840 --> 03:15.800]  I'm currently the CISO of a company called Gusto.
[03:15.800 --> 03:18.360]  We're actually focused on building a people platform
[03:18.360 --> 03:22.620]  that enables small and medium sized businesses to kind of give their employees
[03:22.620 --> 03:27.260]  all those things that, you know, one would want to have a delightful work experience.
[03:27.260 --> 03:29.380]  Gusto is not the only place I've worked at, right?
[03:29.380 --> 03:34.020]  I mean, I've also, you know, led security at Square, a fintech company.
[03:34.480 --> 03:36.820]  You know, I led security at NetSuite.
[03:36.820 --> 03:38.620]  You had a SaaS company.
[03:38.620 --> 03:40.040]  I was at Twilio.
[03:40.380 --> 03:42.260]  I was also at Betfair.
[03:42.260 --> 03:44.660]  So for those of you, you know, cricket gamblers, et cetera,
[03:44.660 --> 03:46.900]  you might remember that name.
[03:47.340 --> 03:51.880]  Fortify, many, many moons ago, and even Bank of America.
[03:52.100 --> 03:56.820]  Those are all just like random companies, all random and all really, really different.
[03:56.820 --> 03:59.680]  And I've had numerous different roles over the years.
[03:59.680 --> 04:02.580]  Like I started my career as a software developer.
[04:02.580 --> 04:04.520]  I'm just writing code like a lot of you.
[04:04.520 --> 04:08.840]  But I've also spent time being a sysadmin, including, you know,
[04:08.840 --> 04:13.820]  like crawling through spaces and running cables, et cetera.
[04:14.200 --> 04:16.440]  You know, it's a really, really fulfilling job.
[04:16.440 --> 04:18.720]  I took that and then I decided, hey, you know what?
[04:18.720 --> 04:22.960]  I want to actually spend more time going back to my roots as a security researcher,
[04:22.960 --> 04:25.980]  practicing security in various different places.
[04:25.980 --> 04:30.800]  And I've been fortunate enough to actually be on several different world class security teams.
[04:30.800 --> 04:35.840]  And I've also been fortunate enough to become a security leader,
[04:35.840 --> 04:42.640]  both as just a direct line manager, director, and ultimately, you know, a couple of stints as being a CISO.
[04:42.680 --> 04:47.880]  With all those things said, you know, similar to my previous experience at other companies,
[04:47.880 --> 04:50.860]  all those roles are also different.
[04:51.280 --> 04:55.020]  But really, none of that should matter. Right?
[04:55.020 --> 04:58.920]  We always do these things in slides, in particular in keynotes, et cetera.
[04:58.920 --> 05:09.300]  Like, oh, let me tell you a little bit about my history with the idea that somehow me having experience being more mature,
[05:09.300 --> 05:13.860]  we just put it that way, and having several decades under my belt,
[05:13.860 --> 05:20.480]  it's somehow meaning that I have something to teach you or that you should be paying attention to me,
[05:20.480 --> 05:26.260]  that you should view people such as myself as, quote unquote, thought leaders.
[05:26.600 --> 05:30.440]  But really, you don't care about my background. Hopefully you don't.
[05:30.780 --> 05:34.580]  Hopefully you're really here because like me, you hear more about Bruce.
[05:34.580 --> 05:45.100]  Bruce Lee is one of my idols and somebody I look up to both as just a good human being and some of the phenomenal things that he's actually done throughout his life.
[05:45.100 --> 05:49.220]  And also as a philosopher and some of the things that we can take away from that.
[05:49.220 --> 05:54.380]  So for those of you that aren't familiar with Bruce Lee, he's a native San Franciscan.
[05:54.380 --> 06:01.820]  A lot of people actually don't know that, you know, probably his big claim to fame is all of the martial arts movies that he's been in.
[06:01.820 --> 06:07.120]  You know, Big Boss, Enter the Dragon, which, you know, obviously everybody knows.
[06:07.260 --> 06:14.600]  But some of the other things I think people forget about, it's like a lot of the work that he's done just in general to make the world a better place.
[06:14.600 --> 06:19.300]  He was instrumental in breaking down lots and lots of stereotypes.
[06:19.300 --> 06:25.220]  So like stereotypes around like Asians in Hollywood and just Asians in society in general.
[06:25.220 --> 06:39.400]  Like he made it OK slash essentially effectively broke through to have strong leading roles for Asians and strong leading roles, particularly for Asian men.
[06:39.400 --> 06:46.060]  But he did even more outside of his Hollywood career because he was a world class martial artist.
[06:46.060 --> 06:58.000]  And he was a big proponent not only of practicing martial arts, but making martial arts available to everybody, regardless of your race, gender, body style, etc.
[06:58.000 --> 07:03.220]  He pushed back on the belief that there was only one type of person.
[07:03.220 --> 07:10.660]  And he also pushed back on the belief that there's only one style of martial arts that was suitable for all things.
[07:10.660 --> 07:23.120]  He really was a Renaissance man. He believed in constantly learning and constantly growing, studying everything from boxing to ballet, even philosophy.
[07:23.940 --> 07:31.620]  He's also known for beating up Wong Jack Man, a Kung Fu practitioner in Oakland.
[07:32.060 --> 07:47.200]  And what was interesting about this situation was that it was related to Bruce Lee's desire to make sure that his learnings and his philosophy and just the advantages of martial arts were available to all people.
[07:47.200 --> 07:58.540]  At a time when a lot of people felt that martial arts, in particular Kung Fu, should only be taught to Chinese people and should not be available to other races.
[07:58.540 --> 08:04.420]  I love this quote that actually recounts Bruce Lee's perspective on the fight. And I'll just read it for you.
[08:04.420 --> 08:10.740]  I'd gotten into a fight in San Francisco with a Kung Fu cat. And after a brief encounter, the son of a bitch started to run.
[08:10.740 --> 08:19.400]  I chased him and, like a fool, kept punching him behind his head and back. Soon, my fists began to swell from hitting his hard head.
[08:19.480 --> 08:26.880]  Right then, I realized Wing Chun was not too practical and began to alter my way of fighting.
[08:26.880 --> 08:34.800]  This really was kind of like the birth and the inspiration of Bruce Lee to start seeking out better ways to practice martial arts.
[08:34.800 --> 08:46.860]  And ultimately, you know, lent his way towards creating Jeet Kune Do, a form and his philosophy of martial arts, which essentially means the way of the intercepting fist.
[08:48.040 --> 08:54.140]  Bruce Lee is probably the first true, quote unquote, mixed martial artist.
[08:54.140 --> 08:57.220]  He described his style as hybrid fighting.
[08:58.500 --> 09:02.760]  So Jeet Kune Do, what exactly is it? What is it about, etc.?
[09:02.760 --> 09:18.720]  One of the key principles of Jeet Kune Do is that it's focused on the outcome of a fight, not just the kata, not just practices, not just forms, but really the ultimate goal, which is to essentially stop the fight.
[09:18.720 --> 09:32.660]  He wanted to make sure that his form of martial arts and his philosophy got rid of the dogma, that it allowed you to leverage all the techniques across a wide gamut of martial arts.
[09:32.740 --> 09:42.160]  He also wanted to make sure that when he was training and that his students were training, that they were actually training for realistic scenarios, not just sparring matches and not just Kung Fu competitions.
[09:42.160 --> 09:47.300]  He felt that you needed to be constantly preparing yourself and constantly conditioning yourself.
[09:47.300 --> 09:56.220]  And that with that combination of letting go of dogma and constant preparation, you could ultimately get to a fluid state.
[09:56.220 --> 09:59.980]  So you're always prepared without being stressed.
[09:59.980 --> 10:06.860]  He was a permanent student and he believes that all people should always be learning.
[10:06.860 --> 10:19.320]  I love this quote by him and I think there's so much for us to take away from it, which is absorb what is useful, reject what is useless, add what is essentially your own.
[10:21.300 --> 10:32.700]  I have not invented a new style, composite, modified or otherwise, that is set within distinct form as apart from this method or that method.
[10:32.700 --> 10:39.700]  On the contrary, I hope to free my followers from clinging to styles, patterns or molds.
[10:40.260 --> 10:43.180]  So what does this have to do with AppSec?
[10:43.180 --> 10:47.300]  I understand you. This seems like a really, really drawn out analogy.
[10:47.360 --> 10:50.880]  I promise you that there is something here.
[10:51.840 --> 10:59.840]  I believe that AppSec has actually fallen into a lot of the same traps that previous martial arts practitioners had.
[10:59.840 --> 11:04.840]  There was always this idea that, oh, my style is superior to your style.
[11:04.840 --> 11:08.460]  I'm going to go to your dojo and challenge your master, etc.
[11:08.460 --> 11:12.980]  And we have a lot of those same tendencies inside of security.
[11:12.980 --> 11:16.580]  Instead of senseis, we have thought leaders.
[11:18.340 --> 11:20.920]  I'm OK with that actually being an insult.
[11:20.920 --> 11:28.420]  I've been called that myself and I've probably been guilty of perpetuating some of the same problems that these thought leaders are doing.
[11:28.420 --> 11:31.120]  We have heavily relied upon dogma.
[11:31.120 --> 11:36.000]  There are some people like, oh, if you're not practicing DevSecOps, then you're not really practicing AppSec.
[11:36.000 --> 11:38.060]  Your security program isn't going to work.
[11:38.060 --> 11:42.940]  There are others that believe like, oh, you need to be following something that's from NIST.
[11:42.940 --> 11:45.620]  And that's how application security is supposed to be approached.
[11:46.400 --> 11:51.440]  Often we've kind of forgotten what the real point of application security is.
[11:51.440 --> 12:00.120]  With Jeet Kune Do, Bruce Lee thinks about this concept of, hey, the true purpose is to end the fight.
[12:00.120 --> 12:07.780]  Inside of application security, our true purpose is to actually create and have secure outcomes.
[12:07.860 --> 12:12.100]  Another issue that we have in application security is that we often get distracted, right?
[12:12.100 --> 12:15.040]  We're distracted by whatever the latest zero day is.
[12:15.040 --> 12:22.400]  Instead of actually really thinking about the common threads, like in Jeet Kune Do, Bruce Lee wanted people to focus on realistic fighting,
[12:22.400 --> 12:28.260]  not just these outliers and things like that, the things you're going to come across on a day to day basis.
[12:29.200 --> 12:31.960]  Also, we have similar problems with gatekeeping.
[12:32.700 --> 12:37.600]  You know, there's a lot more we can actually be doing to actually bring more people into application security.
[12:37.880 --> 12:42.680]  But we've always kind of perpetuated this myth, either intentionally or unintentionally,
[12:42.680 --> 12:46.920]  that AppSec is only for these blessed few and they have to look a certain way.
[12:46.920 --> 12:52.100]  They had to, you know, belong to certain crews and cliques or they had to have gone to a certain school.
[12:52.420 --> 13:00.700]  Ultimately, we've latched onto these ideas so hard and we've been so inflexible that we're really like a rock.
[13:01.640 --> 13:04.740]  Instead, we must be like water.
[13:06.920 --> 13:10.300]  So let's actually talk about Jeet Kune Do for AppSec.
[13:11.700 --> 13:15.960]  I want to start a little bit actually talking about the styles of AppSec.
[13:15.960 --> 13:19.380]  Right. There is the traditional style.
[13:19.500 --> 13:24.160]  And I think, you know, in particularly some of you that are older or maybe actually work in a large organization,
[13:24.160 --> 13:29.500]  you might actually be familiar with this. Generally, the traditional style is guided by compliance.
[13:29.500 --> 13:33.840]  Hey, what are the regulations? What are the things we have to do to check the box?
[13:33.940 --> 13:37.920]  It's heavily focused on testing and auditing.
[13:37.920 --> 13:46.260]  It works really, really well with more traditional SDLCs, like companies that are releasing software once or twice a year,
[13:46.260 --> 13:49.660]  probably still practicing a waterfall type methodology.
[13:49.660 --> 13:53.760]  Like I said, it's really, really common in large corporations.
[13:53.800 --> 13:59.600]  And because of that, they're often just focused on buying tools like, hey, let me go get a license for Fortify.
[13:59.600 --> 14:06.140]  Let me go get a really expensive license for some dynamic testing suite, etc.
[14:06.140 --> 14:09.460]  But there actually are a lot of good things about this style.
[14:09.460 --> 14:12.560]  Like one, it actually is predictable and repeatable. Right.
[14:12.600 --> 14:21.140]  And it's great because nobody is surprised by what is expected and what is going to happen when the application security team engages with them.
[14:21.140 --> 14:26.260]  You produce a lot of artifacts and a lot of evidence. That sounds like a lot of paperwork.
[14:26.300 --> 14:35.540]  But in particular, in heavily regulated industries, that is great when you have to deal with auditors because auditors actually understand it and it makes them happy.
[14:35.540 --> 14:40.740]  It allows for a lot of control over development and over the developers.
[14:40.920 --> 14:48.960]  And it makes executives at these large corporations really, really comfortable because they can always go back and say, look, we followed the best practices.
[14:48.960 --> 14:54.540]  We're doing what all the other large corporations are doing. Look at how rigid and in control we are.
[14:54.720 --> 15:00.040]  And that gives them a lot of comfort. It also is kind of a good way to have some deniability.
[15:00.740 --> 15:09.740]  One other good thing about it is because of this really, really aggressive, maybe oppressive, top-down style, is that it makes it really easy to have mandatory developer training.
[15:09.740 --> 15:21.840]  And I think everybody believes that when developers know more about security and developing good, secure software, they generally have fewer security vulnerabilities.
[15:22.120 --> 15:28.240]  Obviously, this isn't perfect. There's a reason why tons of people no longer use this methodology.
[15:28.240 --> 15:33.940]  One, it slows down developers. And that can definitely have an impact on your competitive advantage.
[15:34.000 --> 15:38.640]  It over, over, over indexes on compliance and process, etc.
[15:38.640 --> 15:47.160]  And oftentimes people and companies forget about addressing true risk because they're so worried about checking boxes.
[15:47.860 --> 15:51.440]  These are the kind of situations where you have to have a large AppSec team.
[15:51.440 --> 16:01.080]  There's no way that you can actually do these many reviews, do this much process with a 4, 5, 10, even a 15-person AppSec team.
[16:01.140 --> 16:09.580]  The other big thing is that that part that the execs like, that deniability aspect, it's not the same as actually being secure.
[16:09.620 --> 16:15.440]  Yes, just because you won't get carted away to jail when you're in front of Congress, etc. after your breach,
[16:15.440 --> 16:22.840]  it doesn't mean that you actually did the right thing by your customers and by the rest of the ecosystem that relies upon you.
[16:22.860 --> 16:26.400]  Another thing is that it also kind of separates the security team from the developers.
[16:26.560 --> 16:36.680]  And oftentimes the security team doesn't really understand the code base or the product because they're really focused on trying to just find holes and go through a process.
[16:37.000 --> 16:41.600]  And that can also lead towards a lot of conflict with developers.
[16:41.600 --> 16:46.420]  And finally, at least personally, I find this style to be soul crushing.
[16:46.940 --> 16:52.400]  You know, this is part of my job when I was at Bank of America, and it really can be confining.
[16:52.400 --> 16:59.060]  And also having that antagonistic relationship as somebody who identifies as an engineer just isn't fun.
[17:00.260 --> 17:10.000]  What a lot of people actually practice now is kind of like this DevSecOps, DevOps, you know, whatever acronyms you want to use, security engineering, etc.
[17:10.000 --> 17:13.840]  This more agile application security type practice.
[17:13.840 --> 17:18.220]  It's a great thing in the aspect that it really is heavily guided by engineering.
[17:18.400 --> 17:26.200]  And that's really, really good. Having an application security team that is our engineers and can relate to engineers just pays dividends.
[17:26.500 --> 17:30.440]  The security team is there to actually just, you know, kind of like you write code and design systems.
[17:30.440 --> 17:41.700]  They really are about building golden paths, building safe defaults, other things that actually just make a developer's life much easier because the developer doesn't have to worry about security as much.
[17:41.700 --> 17:56.540]  I was often also focused heavily on this idea that if you can build the right golden path, then the developers can actually have a lot more freedom to exercise their creativity and actually launch interesting and good products.
[17:56.540 --> 18:04.800]  You see this style very much in startups or probably the best way to describe it is Silicon Valley style technology companies.
[18:04.860 --> 18:08.240]  But I love the fact that it does have this engineering first focus.
[18:08.440 --> 18:12.740]  You know, it's like I said, it's a lot of good that comes out of this because code scales.
[18:12.740 --> 18:21.260]  And what that means is you can also have a really, really lean security team and they can move kind of close to the developer speed.
[18:21.260 --> 18:27.560]  You can get a really, really good understanding of the code and what the actual product goals are by the security team.
[18:27.560 --> 18:33.500]  And that allows the AppSec team to really make pragmatic choices in some of the things that they're building.
[18:33.600 --> 18:40.480]  And also they're more focused on preventative measures as opposed to just purely detective measures, which is more like the traditional style.
[18:40.960 --> 18:43.980]  As much as I love this style, it isn't perfect either.
[18:43.980 --> 18:50.500]  Like one of the big things is that oftentimes because there's not a huge paper trail or a lot of things are actually more innovative,
[18:50.500 --> 18:57.540]  it's hard for external regulators to understand. And that can lead to gaps and potential issues and sometimes even fines.
[18:59.060 --> 19:03.120]  Because often these security teams are really, really lean.
[19:03.560 --> 19:10.780]  You can find yourself in a scenario where even if you have a lot of high caliber security engineers, they still get overwhelmed by the developers.
[19:10.780 --> 19:16.500]  In general, the broader development team is still going to be larger than your AppSec team.
[19:16.500 --> 19:22.780]  And then finally, when I put my pointy-haired hat on or pointy-haired boss hat on or whatever,
[19:23.420 --> 19:29.860]  it's difficult to actually find really, really good AppSec engineers that can code, understand security,
[19:29.860 --> 19:37.980]  understand how to actually build things that make developers easier. And those AppSec engineers tend to be a little bit more expensive.
[19:38.780 --> 19:45.800]  There's another style, though, that I find interesting, and I think a lot of you have probably been there before or at least know people that are there,
[19:45.800 --> 19:53.700]  which is a style called the pleading and prayer style. And this is generally characterized by a company that's more guided by cost.
[19:53.700 --> 20:00.720]  These generally tend to be smaller companies, maybe like a really, really small startup, like maybe less than 10 people.
[20:00.720 --> 20:04.140]  Like they're not they don't think they're ready yet for a security team.
[20:04.140 --> 20:13.420]  And also some companies that don't consider themselves technology companies, like maybe it's an architectural firm or a law firm or maybe it is a financial institution.
[20:13.420 --> 20:20.540]  And so they don't really think they deal with software. They don't think that they have application security type problems.
[20:20.820 --> 20:25.100]  You know, they don't think they're regulated. So there's no external pressure on them as well.
[20:25.100 --> 20:31.600]  And when security needs do arise, they rely more on this kind of like volunteer firefighter department type method.
[20:31.600 --> 20:35.660]  One of the good aspects of one of the things that makes it attractive about it is that it's cheap, right?
[20:35.680 --> 20:40.200]  You're not paying for security people. It's cheap, right?
[20:40.200 --> 20:48.620]  Less headcount. You're not buying tools. All these are the kind of things that can pile up that can seem like costs that are unnecessary because, you know,
[20:48.620 --> 20:53.660]  security can appear to be invisible unless something goes wrong.
[20:53.940 --> 20:57.260]  Ultimately, you know, statistics actually kind of on their side.
[20:57.260 --> 21:02.060]  But the reality is, is that most companies don't have a significant breach.
[21:03.340 --> 21:06.260]  There are definitely bad aspects of this, though, right?
[21:06.260 --> 21:10.580]  You know, literally you get what you pay for. I've told people this time and time again.
[21:10.780 --> 21:13.840]  Cheap security is generally expensive security, right?
[21:14.540 --> 21:17.340]  Statistics are on your side until they are not, right?
[21:17.340 --> 21:22.460]  When you roll the dice the wrong time, that one time it can be dramatically consequential.
[21:22.620 --> 21:26.680]  And when you don't have an AppSec team, you now find yourself in a bind.
[21:26.680 --> 21:32.620]  A lot of these companies forget that they are still utilizing software or writing software,
[21:32.620 --> 21:38.320]  even if it's a tiny amount that can still have some impact to their business and ultimately to their customers.
[21:38.860 --> 21:48.820]  No one in the company is even aware because no one in the company is focused on software security until something goes wrong.
[21:48.820 --> 21:54.700]  You know, one of the things that I've learned long ago is that ultimately software is eating the world.
[21:54.700 --> 22:02.600]  And that's what allows us to be so innovative. And that's also what allows us to have a virtual DEF CON here in COVID land.
[22:04.720 --> 22:09.240]  One thing that you notice about this, though, is that all of these styles work.
[22:09.240 --> 22:17.200]  They all work. As I mentioned, statistics kind of show that most companies don't get breached.
[22:17.200 --> 22:26.760]  Now, I say they all work. That doesn't necessarily mean that they're all secure and that it delivers the same level of security and resilience as some of the other styles.
[22:26.760 --> 22:32.000]  But the reality is, is that, yeah, a lot of people can get by with any of these models.
[22:32.000 --> 22:37.400]  And in some cases, these models are really well tuned for the exact business need that's there.
[22:37.540 --> 22:42.160]  So, you know, that's actually a good thing, right? That's something that they all have in common.
[22:42.160 --> 22:47.460]  They also have another thing in common. All of these styles fail.
[22:47.860 --> 22:56.440]  They all break down at some point, depending on actually what's going on in the company, depending on actually what's going on in the ecosystem.
[22:56.460 --> 23:04.260]  So if you are in a more traditional organization that's actually practicing a more regimented style of security and AppSec,
[23:04.260 --> 23:10.900]  what happens when you get a new VP of engineering or a new CTO that wants to be more agile and is hiring like really aggressive developers
[23:10.900 --> 23:16.600]  and wants to move to a style where there's kind of like continuous delivery?
[23:17.760 --> 23:25.040]  That traditional security team just kind of breaks. When you think about this DevSecOps style slash agile style,
[23:25.040 --> 23:34.580]  what happens when these companies do get much bigger and they are heavily regulated and they now have to have a lot more process?
[23:34.580 --> 23:37.040]  How do you keep your AppSec people more engaged?
[23:37.040 --> 23:41.980]  How do you actually deal with the bureaucracy that is now being forced down on you?
[23:41.980 --> 23:48.340]  On the pleading and prayer side, it fails because, yeah, eventually something might go wrong.
[23:49.120 --> 23:53.320]  So what do we need to do about this?
[23:53.560 --> 23:58.780]  One of the things we have to recognize is that we as application security practitioners,
[23:58.780 --> 24:05.260]  we need to change based on the circumstances of what's going on in the company that we're in
[24:05.260 --> 24:10.700]  or the company that we may be joining. So for me,
[24:10.700 --> 24:17.720]  I could not use the same style of application security that I practiced at a bank when I moved to a company like Twilio.
[24:17.720 --> 24:26.560]  That's extremely agile, right? You know, when I was just a lowly engineer working in a meteorology center,
[24:27.040 --> 24:31.700]  that style of kind of like the, you know, plead and pray methodology.
[24:31.720 --> 24:37.260]  Yeah, I can't use that inside of a bank where it's heavily regulated. You know, the world is constantly changing.
[24:37.260 --> 24:43.160]  Threats are constantly changing. Where I go in my career and where you may go in your career is going to change.
[24:43.160 --> 24:47.800]  And what that means is that if you're too dogmatic, you will ultimately fail.
[24:48.540 --> 24:53.300]  As I mentioned, you also have to take into account who your adversaries are.
[24:53.300 --> 25:00.760]  You have to recognize that some of the things that are structured for a heavily regulated company and who they believe that they are,
[25:00.760 --> 25:04.080]  you know, targets from like organized crime, et cetera,
[25:04.080 --> 25:09.060]  how those adversaries operate might be very different than how an adversary might operate
[25:09.060 --> 25:14.460]  for a social media company or some other quote unquote Silicon Valley style company.
[25:14.460 --> 25:21.300]  And so you need to be aware of that when you are designing and building and practicing application security inside these companies.
[25:21.300 --> 25:29.360]  The other thing to take into account is that even though you might understand your adversary today, your adversary is always changing.
[25:31.840 --> 25:38.740]  So one of the things that I think we have to come back to and one of the things I want to borrow and I have borrowed from Bruce Lee
[25:38.740 --> 25:45.740]  is this idea of focusing on realistic fights or essentially realistic scenarios, right?
[25:45.740 --> 25:52.440]  You need to base your AppSec program on the actual likely threats and not make some of the mistakes I've seen in the past.
[25:52.540 --> 26:00.600]  It's really common to go into an organization and see that, oh, they're practicing traditional AppSec, heavily regimented,
[26:00.600 --> 26:05.900]  and they're giving embedded C programmers OWASP top 10 security training.
[26:05.900 --> 26:11.280]  That makes no sense at all, right? You need to actually modify based on what the company is looking like.
[26:11.280 --> 26:17.940]  You need to also regularly review and adjust those threat models, because as I said, your adversaries are changing, your infrastructure is changing.
[26:17.940 --> 26:30.040]  The world around you is not static. So these static, dogmatic styles of application security also need to change as well.
[26:30.040 --> 26:38.520]  And don't make any mistake about it. All of the styles are dogmatic, even the ones that claim to be agile.
[26:38.520 --> 26:43.640]  Some of the things that I think are useful inside of organizations is going back and really understanding the past,
[26:43.640 --> 26:48.360]  getting a better understanding of where vulnerabilities have happened previously.
[26:48.420 --> 26:54.980]  So you can actually start really getting engaged with what's important to the company, to the customers, and how you commonly make mistakes,
[26:54.980 --> 26:59.760]  because those are the realistic fights that you've been in. And so that's what you need to practice for.
[26:59.760 --> 27:02.820]  And you also need to go back and actually say, like, well, what is it we really own?
[27:02.820 --> 27:07.780]  What are the key assets here and what kind of adversaries are going to be attracted to that?
[27:07.780 --> 27:13.260]  I mean, you can probably have a good idea of who your adversaries might be if you are moving billions of dollars a day.
[27:13.260 --> 27:19.920]  You may not understand who your adversaries are going to be if you're running social media or if you just have a cat picture website or those kind of things.
[27:20.700 --> 27:25.700]  Even though this is DEF CON and there's a lot of interesting talks, definitely go check them out.
[27:25.700 --> 27:39.120]  Don't let the zero days distract you too much, because often what's going to impact you are the 90, 180, the 365 day vulnerabilities that you haven't fixed yet.
[27:41.420 --> 27:53.240]  The other thing I really like about Jeet Kune Do is that Bruce Lee really wanted to focus on the outcome of a fight, the actual intent, and the intent is to end the fight.
[27:53.240 --> 27:59.780]  For us as application security practitioners, the intent is to provide secure outcomes.
[27:59.780 --> 28:03.860]  And you should do that with the least amount of energy and the most direct path.
[28:03.860 --> 28:08.320]  An interesting thing about Jeet Kune Do is that Bruce Lee introduced things like groin strikes.
[28:08.320 --> 28:11.420]  He introduced eye pokes because he's like, hey, I want to end the fight.
[28:11.420 --> 28:18.540]  I don't need to care about what's the proper way or what is the dogmatic way or what the proper style is.
[28:18.540 --> 28:23.560]  And that means that you should be very open to using whatever tool is the most sufficient.
[28:23.560 --> 28:30.420]  So if pen testing gives you quick results, that gives a lot of value for you and you can actually fix security issues, use that.
[28:30.420 --> 28:34.240]  If static analysis gives you better results, use that.
[28:34.240 --> 28:39.460]  People are going to harass me about this later, especially those that know me personally.
[28:40.100 --> 28:42.440]  It hurts to even say this.
[28:42.720 --> 28:48.280]  If a WAF will help you solve security problems, you should use a WAF.
[28:49.560 --> 28:52.240]  I just... I need a break.
[28:53.000 --> 28:56.480]  Even security unicorn here doesn't believe I just said that.
[28:56.720 --> 29:10.180]  But it is true, right? Because you need to get rid of ego, even my ego, and focus on the real goal, which is secure outcomes, not the practice, the outcome.
[29:10.200 --> 29:14.140]  That's what we want. We want secure outcomes, not security practices.
[29:14.140 --> 29:21.720]  Some good security practices can lead to secure outcomes, but you should not heavily index on that.
[29:23.520 --> 29:31.900]  You also need to make sure that you and your application security team are also continually preparing, continually conditioning.
[29:31.980 --> 29:40.360]  Bruce Lee believed heavily that you should always be ready and training for a fight because you don't know when it's going to occur and you don't know what it's going to look like.
[29:40.360 --> 29:49.180]  And if you're not practicing some of the fundamentals and if you're not practicing being ready, then you will always be on your back foot, which sets you up for failure.
[29:49.180 --> 29:59.540]  We have to remember that application security software itself, how we design and build software and infrastructure, is changing daily.
[29:59.540 --> 30:05.980]  And the things that you learned today or the things you learned five years ago may not actually be useful tomorrow.
[30:05.980 --> 30:11.460]  Now, there are some fundamentals and some principles and things like that that I do believe continue to be useful.
[30:11.480 --> 30:15.340]  Like I think threat modeling, that's just to me, it's just common sense.
[30:15.340 --> 30:18.480]  It's like, yeah, you should know who your opponent is. What is it you're training for?
[30:18.480 --> 30:24.180]  Or at least broadly, what kind of fight are you training for or kinds of fights?
[30:24.180 --> 30:28.700]  What does your environment look like and what are the things that you know that you could probably predict now?
[30:29.380 --> 30:33.880]  I, you know, obviously I have a static analysis background and just general code understanding background.
[30:33.880 --> 30:38.140]  So, yes, I still love analyzing code because it actually has so much return value for you.
[30:38.140 --> 30:46.280]  It allows you to really get a good indication about what's going on in your ecosystem and what are potential problems that may occur.
[30:46.460 --> 30:49.020]  This is, yeah, it's aka know yourself, right?
[30:49.020 --> 30:51.800]  If you don't know yourself, how can you actually know how to actually improve?
[30:52.540 --> 31:00.040]  Adversarial simulation in whatever format you want that to occur in, red team, pen testing, whatever, tabletop exercises.
[31:00.040 --> 31:02.780]  You want to constantly be training, constantly sparring.
[31:02.780 --> 31:10.160]  And then there's also probably one of the more important things in particular in application security, which is effective communication.
[31:10.820 --> 31:21.460]  Application security wins and fails by its ability to convey risk in a way that other people in the organization can understand.
[31:21.460 --> 31:25.840]  To bring them along in that journey, you actually have true allies that are going to be proactive,
[31:25.840 --> 31:31.920]  that can actually reach into all those places where you don't have enough time or don't have enough insight and understanding.
[31:31.920 --> 31:37.940]  Having allies in a fight is always a good thing. I don't understand anybody that wants to have a one-on-one fight.
[31:38.840 --> 31:44.380]  The idea of a fair fight is just dumb, right? You should always have an advantage by any means necessary.
[31:44.640 --> 31:49.420]  And the thing that you should remember is that these are the philosophies of your attackers, right?
[31:49.420 --> 31:56.340]  An attacker isn't going to say like, oh, well, this bank practices this traditional style of security.
[31:56.340 --> 32:00.020]  So I need to make sure that, you know, my attack matches that.
[32:00.020 --> 32:06.780]  No, no, they're not going to do that. They're going to use whatever is most efficient to get them the results that they want.
[32:10.500 --> 32:17.360]  An important thing that Bruce Lee believed was this idea that not only should he be teaching others,
[32:17.360 --> 32:21.060]  but he should be learning from others and learning from his students,
[32:21.060 --> 32:26.740]  because the people that we actually interact with in application security, regardless of where they come from,
[32:26.740 --> 32:31.140]  all have something that we can learn from. And when you're bringing people along on the journey,
[32:31.140 --> 32:37.080]  it can also help you refine your understanding of application security and find out where your gaps are,
[32:37.080 --> 32:41.760]  or maybe even be introduced to new concepts that you may have never even considered before.
[32:42.600 --> 32:49.140]  I, you know, obviously, you know, I'm not a big fan of some of the security gatekeeping that goes on, and I've been guilty of it myself.
[32:49.140 --> 32:55.580]  But what I have learned is that security comes in all shapes, forms, sizes and backgrounds.
[32:55.580 --> 33:00.060]  And you can have somebody that doesn't even have a programming background.
[33:00.060 --> 33:05.460]  That's a phenomenal application security practitioner. You can have somebody that was maybe just a network engineer.
[33:05.460 --> 33:14.460]  You can even have somebody that was working at a front desk at a company bringing significant value to an application security team.
[33:15.040 --> 33:19.980]  The gatekeeping bothers me also because everybody was a noob.
[33:19.980 --> 33:23.940]  There is nobody out there that was not a noob at some point.
[33:23.940 --> 33:29.760]  And anytime new technology is introduced, you're in that position again of being a newbie.
[33:29.760 --> 33:36.160]  So we just got to get rid of the egos, y'all. The more we can invest in broadening the ecosystem,
[33:36.160 --> 33:42.560]  the more we can invest in bringing more and more people along, the better our AppSec journey is going to be.
[33:42.560 --> 33:45.380]  Because we have more allies. We have more coverage.
[33:45.380 --> 33:53.920]  And you also get maybe a little bit of time back to maybe explore some of those zero day things that you're interested in that I previously said,
[33:55.000 --> 34:03.660]  you know, some of the things you can also take away from teaching others and bringing more people into application security is that when you understand everybody else's journey,
[34:03.660 --> 34:08.640]  you get to understand a little bit more about your own journey. And when you start listening to other people,
[34:08.640 --> 34:16.120]  you also learn more things you can incorporate into things like threat modeling, incorporating the things like abuse protection.
[34:16.120 --> 34:20.960]  Like we see this in action in the world today with regards to some of the things like privacy, for example.
[34:20.960 --> 34:34.840]  At least anecdotally, I've noticed that teams that are more diverse actually have better attitudes around privacy because there are more opinions about how various features and functions impact people based on what their life is like.
[34:34.840 --> 34:42.920]  I know that me as a six foot one black male, I have a different threat profile than a five foot one woman.
[34:42.920 --> 34:47.300]  And what I want on the Internet or from an application may be different.
[34:47.300 --> 34:54.540]  Somebody may be in an abusive relationship and they're worried about stalkers, and that's a different profile.
[34:54.540 --> 35:02.140]  If you don't have people on the team that can bring those things to the table, then you're simply operating at a deficit.
[35:02.460 --> 35:10.920]  You really want to also make sure you're pushing yourself outside of your comfort zones and dipping into other areas of the business.
[35:10.920 --> 35:22.420]  As a good application security practitioner, the more you can learn about the business and more you can learn about your co-workers, the better you can actually serve your company and the better you can actually serve the ecosystem.
[35:24.990 --> 35:33.350]  Finally, one of the big things is really what I'm arguing for here is that AppSec needs to be flexible.
[35:34.130 --> 35:43.790]  If you practice just one style, if you are too dogmatic, then you will always be on the back foot and you won't be able to adjust to new threats in the landscape.
[35:43.790 --> 35:58.370]  You won't be able to adjust to new jobs. You will have a difficult time migrating from a heavily regulated industry to a slightly regulated industry or like a small startup, etc.
[35:58.370 --> 36:07.170]  And vice versa, if you're like a startup and you're like, hey, I'm all about agile and DevSecOps, etc. That is good at a startup in some cases.
[36:07.190 --> 36:12.730]  But when you go to a heavily regulated industry, you might run into a lot of friction and you might run into a lot of problems.
[36:12.770 --> 36:20.490]  So one of the other things that I think is useful for that flexibility is also understanding really what is important to you.
[36:21.590 --> 36:24.990]  People are probably going to be a little bit unhappy about this.
[36:24.990 --> 36:32.330]  Be flexible about where you actually want to invest your security resources and your security care.
[36:32.590 --> 36:46.130]  Occasionally, that means like, yeah, you might want to tell a developer that it's OK to do a release without a full security review because really the developer is just adding an extra button on the website or an extra image on the website.
[36:46.130 --> 36:57.670]  And instead of delaying them with a 20, 40, 60, 80 hour application security static analysis scan, you're like, oh, just go ahead and ship it.
[36:57.670 --> 37:02.490]  Still be happy. You'll be happy. And ultimately, it allows you to actually get some goodwill.
[37:02.490 --> 37:05.490]  So you can also focus on the bigger problems.
[37:05.490 --> 37:17.470]  You also need to be aware that, yeah, you might have to be flexible, in particular if you're one of the more agile DevSecOps type operations, when new bureaucracy comes in.
[37:17.470 --> 37:21.310]  You might have additional regulations. We've experienced that in the recent past.
[37:21.310 --> 37:25.510]  I'm in California and CCPA is a recent and new regulation for us.
[37:25.510 --> 37:29.530]  A lot of people already experienced GDPR. It's a new and recent regulation.
[37:29.630 --> 37:33.890]  And it's not something that you were able to opt in or opt out of.
[37:33.890 --> 37:43.450]  As I mentioned, you should think a lot about being flexible to have compromises in some of the smaller security recommendations.
[37:43.530 --> 37:51.710]  So you can actually have resources to get focused on the bigger risk and the bigger security regulations and security concerns.
[37:51.710 --> 38:03.870]  So, for example, if you dump a static analysis scan in front of somebody that has 10,000 findings and you're like, oh, you need to fix every single one of those,
[38:04.710 --> 38:08.270]  you're going to quickly find yourself being walked out the door.
[38:08.270 --> 38:11.210]  But if you can get them to actually focus on, hey, you know, this is actually really important.
[38:11.210 --> 38:14.430]  These are the high and critical vulnerabilities, and there's only 10 of them.
[38:14.430 --> 38:21.870]  Please just focus on those. You get a lot more buy in and ultimately you really are reducing risk and reducing the significant risk.
[38:21.870 --> 38:26.750]  And that's really what we want to do as application security practitioners.
[38:33.610 --> 38:37.850]  So there is no singular way to practice AppSec.
[38:37.850 --> 38:41.530]  There is value to be had in multiple approaches.
[38:41.530 --> 38:46.030]  There are no single profiles that make good AppSec practitioners.
[38:46.030 --> 38:53.770]  Many perspectives and backgrounds are valuable. Your approach must match the immediate situation.
[38:54.330 --> 38:59.090]  Being rigid in AppSec does not work.
[39:07.560 --> 39:14.960]  I said empty your mind. Be formless, shapeless, like water.
[39:15.540 --> 39:22.000]  Now you put water into a cup, it becomes the cup. You put water into a bottle, it becomes the bottle.
[39:22.000 --> 39:25.220]  You put it in a teapot, it becomes the teapot.
[39:25.260 --> 39:31.200]  Now water can flow or it can crash. Be water, my friend.
[39:31.880 --> 39:35.460]  So thank you for taking a little bit of your time out today.
[39:35.460 --> 39:40.360]  I'm really, really, really looking forward to interacting with some of you online.
[39:40.380 --> 39:45.400]  Hopefully answering some questions. Hopefully maybe even being challenged about some of the things that I said.
[39:45.400 --> 39:52.640]  As I mentioned, I can't teach you anything. I can tell you about my opinions and about my journey.
[39:52.640 --> 40:02.440]  But I would be even more hypocritical than I already am if I told you that I have the answers to this and that there's one particular way that you need to practice AppSec.
[40:02.440 --> 40:15.920]  Be like water. Adjust to your environment. Fill the container that you will be poured into and give the security that you really, really want to deliver to others.
[40:15.920 --> 40:25.560]  Thank you so much. I really, really, really do appreciate having the opportunity to speak to you and for those of you that even made it to the end of this talk.
